At 10:17 AM 3/14/00 , you wrote:
>Gene must have been eavesdropping on our meeting.
Nah, I simply know all and see all. :-)
Unfortunately, the view is frequently distressing.....
>We also considered things
>like ICQ, which is in permanent beta. We basically agreed that mere beta
>status is not a reason to exclude things from the CVE. The main criteria for
>inclusion would include length of life and wideness of availability. This
>does not mean we have to include every security bug in every short-lived
>"true" beta.
>
>Hope this clears things up.
>
>Andy
>----- Original Message -----
>From: Gene Spafford <spaf@CERIAS.PURDUE.EDU>
>To: Pascal Meunier <pmeunier@PURDUE.EDU>
>Cc: <cve-editorial-board-list@lists.mitre.org>
>Sent: Tuesday, March 14, 2000 8:50 AM
>Subject: Re: [CVEPRI] March 9-10 Editorial Board Meeting Summary
>
>
>> At 09:09 AM 3/14/00 , Pascal Meunier wrote:
>> >>The Board also reviewed CD:EX-BETA. Attendees agreed that CVE should
>> >>include problems in beta software, provided that the beta code was
>> >>intended for public dissemination.
>> >
>> >I missed that part. I would like to know why people think that bugs
>> >in admittedly buggy, pre-release, short-lived software run by a few
>> >people (on hopefully sandboxed or somehow protected or unimportant
>> >systems) should be of concern to the CVE.
>>
>> Unfortunately, the definition of "beta" that you used is not the one used
>> by most vendors any more (except the buggy part). Most vendors now
>> release traditionally-alpha code onto the net or in other widespread
>> release and lots of people adopt it. Mozilla and Windows 2000 are
>examples
>> of long-lived, widesprad releases of "beta" code.
>>
>> --spaf
>>